Cyber Posture

CVE-2026-39911

Severity: High · Public PoC

Published: 09 April 2026
Modified: 01 May 2026
KEV Added: (not listed)
Patch: see fixing commit below
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (29.9th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates unsandboxed user-supplied JavaScript execution by requiring confinement of mobile code like JS expressions to isolated execution domains.
- prevent: Prevents the vulnerability by enforcing separation of user custom logic JavaScript functionality from system Node.js capabilities, blocking filesystem and environment access.
- prevent: Enforces software-based separation and policy mechanisms, such as Node.js sandboxes, to isolate arbitrary JS execution from sensitive container resources and credentials.

Security Summary

CVE-2026-39911 is an unsandboxed JavaScript execution vulnerability in Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f. The flaw exists in the Custom Logic policy block worker, which passes user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. This affects the software's handling of custom logic policies for authenticated Standard Registry users.

Authenticated Standard Registry users can exploit the vulnerability to execute arbitrary code remotely. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators. The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-668.

Mitigation is available via the fixing commit at https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe and pull request https://github.com/hashgraph/guardian/pull/5929. Further details on the vulnerability and remediation are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce.

Details

CWE(s): CWE-668

Affected Products: hedera guardian ≤ 3.5.0

MITRE ATT&CK Enterprise Techniques

- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability enables remote exploitation of the service for RCE (T1210), arbitrary file reads from the container filesystem (T1005), access to sensitive credentials in environment variables (T1552), and forging of authentication tokens to abuse valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References